Credentials issued by Keystone
Keystone issues two values for an integration.| Credential | Used as | Where to use it |
|---|---|---|
| API key | <api_key> | x-api-key header on catalog requests |
| Integration ID | <integration_id> | partnerId during OTP verification and x-partner-id on commerce requests |
- Keep the API key on your server. Do not expose it in mobile apps, browser clients, logs, analytics tools, or public repositories.
- Treat the API key as a secret. Ask Keystone to rotate it immediately if it is exposed.
- Use the API key only for catalog reads: categories, products, product detail, and search.
- Do not send
partnerIdon catalog requests. The API key already identifies which catalog to return. - Use the integration ID only where the API explicitly asks for
partnerIdorx-partner-id. - Customer access tokens are user-specific. Do not share one customer’s token with another customer or background job.
API key
Catalog endpoints use the API key issued by Keystone in thex-api-key header.
partnerId in catalog URLs, query params, or request bodies.
Keep this key server-side. Do not ship it in mobile apps or browser clients.
Customer JWT
Customer endpoints use a bearer token. Checkout, wallet, support, and return requests also requirex-partner-id.
x-partner-id on requests that create or read commerce data, using the integration ID issued by Keystone.
Send OTP
| Method | Endpoint | Auth |
|---|---|---|
POST | /auth/otp/send | None |
Verify OTP
| Method | Endpoint | Auth |
|---|---|---|
POST | /auth/otp/verify?partnerId={partnerId} | None |
partnerId is required when registering a new customer. Use the integration ID issued by Keystone.
Request:
Refresh token
| Method | Endpoint | Auth |
|---|---|---|
POST | /auth/refresh | None |
Logout
| Method | Endpoint | Auth |
|---|---|---|
POST | /auth/logout | Bearer token |